Whittle that risk down as much as possible. Here are some thoughts on vetting the provider:
o Will the application be hosted internally or externally? Today’s discussion focuses on data-sharing, but clearly this is a non-issue if the data your internally-hosted application uses never leaves your company’s doors. Your risk profile just got quite a bit smaller!
o What kind of data are you sharing? A breach is a breach, but some breaches have more implications than others. We need only consider lost credit card data and the accompanying PCI ramifications to appreciate this. Ask yourself (and ask the prospect): is the vendor PCI compliant? Have they met HIPAA guidelines, or other business-specific standards? Is an SSAE-16 on file and available? And remember, today’s business drivers shouldn’t be your only barometer. Look down the road too. Is the data that’s outsourced now representative of what your business area will want to send a year from now? No one has a crystal ball, but some forward thinking now can save a lot of headaches later.
o How is the data moving across the transom? A VPN connection helps with data encryption and is generally more secure, but how practical is it? If your vendor is using older technology, that can come back to haunt you.
o What happens to your data after it reaches your vendor? Is it stored separately, or co-mingled with other firms’ information? Is the data securely protected (think firewalls, IDS, etc. here)? Who has access to that information? Is it sold or otherwise moved off the vendor’s site? These questions give rise to others: is your prospect’s disaster recovery plan current and tested regularly? Their data breach plan? Most of the questions you answer while reviewing your own organization’s security are questions you should pose to the prospective vendor.
Let’s assume you’ve answered these questions to your satisfaction, though. You’ve chosen a vendor. Naturally, your business area is frothing at the mouth, anxious to book deals and make money! Time to sign the contract and send some files? No, not quite. While you have a clearer understanding of what your vendor offers, you and your business areas have another job to complete, one easily as important as Step One.
Your organization must establish just what the provider (and your firm!) are responsible for in this new relationship.
In the event your vendor is breached, a weak agreement (vague and high-level, the kind of agreement where your firm is left holding the bag) is worthless. And unfortunately, this probably happens all too often. How often has that contract been pulled out of some dusty drawer after a late Friday afternoon ‘we’ve been breached!’ phone call? If you can see yourself falling into that category, brace for the worst.
When to negotiate that agreement is all-important too. It’s hard to overstate how important it is to assign these responsibilities at the outset. Your business-seeking vendor is going to be more motivated to work with you on this now than he will be after the deal’s signed.
49 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide